# All Your Biases Belong To Us Breaking RC4 in WPA TKIP and TLS pdf pdf

## All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS

To abuse Mantin’s AB SAB bias we inject known plaintext around the cookie, and ex-ploit this to calculate Bayesian plaintext likelihoods over 1 1 = Z 2 ] = 2 −8 (1 − 2 −8 ) was found byPaul and Preneel [33]. These bi- ases depend on the public counter i of the PRGA, and arelisted in Table 1 (ignoring the condition on r for now).

### 1 Introduction RC4 is (still) one of the most widely used stream ciphers

To abuse Mantin’s AB SAB bias we inject known plaintext around the cookie, and ex-ploit this to calculate Bayesian plaintext likelihoods over 1 1 = Z 2 ] = 2 −8 (1 − 2 −8 ) was found byPaul and Preneel [33]. These bi- ases depend on the public counter i of the PRGA, and arelisted in Table 1 (ignoring the condition on r for now).

### 2 Background We introduce RC4 and its usage in TLS and WPA-TKIP

### 2.1 The RC4 Algorithm

With the length of the gap S de-noted by g, the bias can be written as:Pr [(Z Another long-term bias was found by Mantin [24]. He discovered a bias towards the pattern ABSAB, where A and B represent byte values, and ) Table 1: Generalized Fluhrer-McGrew (FM) biases. Here i is the public counter in the PRGA and r the posi- tion of the first byte of the digraph.

### 2.2 TKIP Cryptographic Encapsulation

## IP TCP MIC

With the length of the gap S de-noted by g, the bias can be written as:Pr [(Z Another long-term bias was found by Mantin [24]. He discovered a bias towards the pattern ABSAB, where A and B represent byte values, and ) Table 1: Generalized Fluhrer-McGrew (FM) biases. Here i is the public counter in the PRGA and r the posi- tion of the first byte of the digraph.

### 3 Empirically Finding New Biases

When expecting only a few outliers, the M-test of Fuchs and Kenett can be asymptotically more pow-erful than the chi-squared test [14]. After all, this probability includesthe single-byte biases, while we only want to report the strength of the dependency between both bytes.

### 3.1 Soundly Detecting Biases

For all digraphs, the sign of the relative bias q is the same as its long-term variant as listed in Table 1. Here we first generate several keystreams, and then update the coun-ters in a sorted manner based on the value of Z a .

### 3.3 New Short-Term Biases

4 ] = 2 −8 (1 − 2 −9.622 ) (5)Note that all either involve an equality with Z 1 or Z 3.3.3 Single-Byte BiasesWe analysed single-byte biases by aggregating the consec512 dataset, and by generating additional statis-tics specifically for single-byte probabilities. The aggre- gation corresponds to calculating 2 Pr [Z r = k] = 255∑y =0 Pr [Z r = k ∧ Z r +1 = Z Pr [Z 47 (1 − 2 1 [Z = 0] found by Isobe et al.

### 2 Arguably our most intriguing finding is the amount of

Our new bias, in the form of Pr 64 96 128 160 192 224 256 Bias 1Bias 3 Bias 5 1 32 1 2−7 2−8 2−9 2−10 2−11 Position other keystream byte (variable i)Absolute relativ e bias 3.3.2 Influence of Z and Z = 03) Z i i = 0 ∧ Z 2 = i 5) Z i = 257 − i ∧ Z 1 = 12) Z = i − 1 ∧ Z information the first two keystream bytes leak. More precisely, let us assume that all keystreamvalue pairs in the set I are independent and uniform: 2 and k 1 (13)We found this formula can be optimized if most key- stream byte values k Nµ1,µ2k1,k2 ) k1 ,k2 (p ) (15) where ∏k1 For example, when applied to the long-term keystream setting over Fluhrer-McGrew biases, roughly 2 , respectively.

### 4 Plaintext Recovery

### 4.1 Calculating Likelihood Estimates

This was extended to a pair of dependent keystream bytes in the obvious way: µ λ = |{C ∈ C | C = k ⊕ µ}|(10) Nµk represents the number of times the keystream byte was equal to k, assuming the plaintext byte wasµ: µk ). The AB SABbias can then be written as: and b P [ b g r Similarly we use b C r r , Z r ⊕ Z r = (Z Zg r as: b g r likelihood of the differential between the known and un- known plaintext. We define the differential b Z we getPr Cg r (21)Using this notation we see that this is indeed identical to an ordinary likelihood estimation.

### 4.4 List of Plaintext Candidates

This meansthe transition probabilities for moving from one state to another, which normally depend on the current time, willnow depend on the position of the byte. To better maintain numeric stability, and to make the computationmore efficient, we perform calculations using the loga- rithm of the likelihoods.

### 2 E

We use the single-byte variant of the attack [30, §4.1] to obtain likelihoods λ 2 We rely on the attack of Paterson et al. During the last round of the outer for-loop, theloop over µ L and last byte m 1 The simplest form of such an algorithm keeps track of the N best candidates ending in a particular valueµ, and is shown in Algorithm 2.

### 5 Attacking WPA-TKIP

Therefore, we can apply ex-actly the same technique (i.e., candidate generation and pruning) to derive the values of these fields with high 218 210 require the ability to run JavaScript code in the victim’s 5 browser [9, 1, 2]. Since the total size of the LLC/SNAP, IP, and TCP header is 48 bytes, the MIC and ICV would be located at posi-tion 49 up to and including 60 (see Fig. 2).

### 5.3 Decrypting a Complete Packet

Using a traceroute command we count the number of hops between the server and the client, allowing us toderive the TTL value at the victim. 2.2 that this MIC key is valid as long as the victim does not renew its PTK, and that it canbe used to inject and decrypt packets from the AP to the victim.

### 5.4 Empirical Evaluation

6.1 Injecting Known Plaintext We want to be able to predict the position of the targeted cookie in the encrypted HTTP requests, and surround itwith known plaintext. As in previous attacks on TLS [9, 1, 2], we ac- complish this by assuming the attacker is able to executeJavaScript in the browser of the victim.

### 7 Related Work

By running JavaScript code in the browser of the victim, we were able to execute the attack in practicewithin merely 52 hours. In addition to these, the long-term bias Pr candidates for the cookie can be tested in less than 7 minutes.

### 9 Acknowledgements

On non-negligible bias of the first output byte of RC4 towards the firstthree bytes of the secret key. A new weakness in the RC4 keystream generator and an approach to im- prove the security of the cipher.